Ransomware incidents: investigation
- 1. ACRONIS © 2017
ENTERPRISE FORENSICS:
RANSOMWARE INCIDENTS
Mona Arkhipova
Unit Manager of information security architecture and monitoring
POSITIVE HACK DAYS VII, Moscow, Russia
- 2. #whoami
Unit Manager of information security architecture and monitoring, Acronis
Past:
• Head of SOC and OPS monitoring, Lead information security
expert at QIWI group;
• Security analyst at General Electric (GE Capital);
• Independent security consultant at fintech start-ups;
• *nix systems and network administrator
- 3. Previous year references (Backwards)
Enterprise forensics 101 (for those who missed it)
https://www.slideshare.net/monasax1/enterprise-forensics-101
http://2016.phdays.ru/broadcast/
Let’s apply the basics to a real case
- 4. What is Ransomware?
• Started with simple lock-screens
• Evolved to cryptolockers
• “Pay-to-unlock”
- 6. Backwards: First steps
• Write down all the non-technical incident details – the answers gathered from the user
• Is live response possible? – yes, in the same area
• Grab all the checksums, hardware details, images, etc. – next
• Inspect all the related systems (if applicable) – next
- 7. Backwards: Windows live response
• MIR-ROR script with Sysinternals suite package
• DLLs, setupapi.log
• Mapped drives, opened shares
• Prefetch
• Policies
• RAW registry files (hives)
• Autorun, NTUSER.DAT from all accounts
• Imaging software: AccessData FTK imager (image+memdump)
- 8. Backwards: Imaging
• Prepare a proper (wiped, large enough) drive for imaging
• Write down the date, time, S/N and size of the device
• Dump memory with FTK Imager or Memoryze
• Image with FTK Imager in RAW mode and write the checksum down for the report
• Gather the full file hierarchy (directory listing)
• Begin to prepare your live stand
- 9. Imaging: report notes
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 30,401
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 488,397,168
[Physical Drive Information]
Drive Model: Samsung SSD 850 EVO M.2 250GB
Drive Serial Number: S33CNX0H536900H
Drive Interface Type: IDE
Removable drive: False
Source data size: 238475 MB
Sector count: 488397168
[Computed Hashes]
MD5 checksum: 4d4cc4e6c7c21d93ff62909368f7a10f
SHA1 checksum: 0f12c8c0456c09685e98c06e4f2407a3c1e29af9
Sample note
Disk imaging has been performed with
AccessData FTK imager in RAW (dd) mode.
Acquisition started: Mon Jan 30 14:06:22 2017
Acquisition finished: Mon Jan 30 15:49:15 2017
http://accessdata.com/product-download/ftk-imager-version-3.4.3
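The report notes above are what the imaging tool prints; the hashes are what lets a reviewer prove later that the image analysed is the image acquired. The following Python script is an added example (not from the talk, not Acronis or AccessData code): it hashes a raw (dd) image in chunks, re-verifies a copy against the recorded digests, and renders a note in the same layout as the slide. The device details in the demo are constructed placeholders, and the MB figure uses the same 1024×1024 convention as the slide (488,397,168 sectors × 512 bytes gives 238475 MB).

```python
import hashlib
import os
import tempfile
from datetime import datetime


def hash_image(path, chunk_size=1 << 20):
    """Hash an image file in 1 MiB chunks so a multi-hundred-GB dd image is
    never read into memory at once. Returns the byte count plus the MD5 and
    SHA1 hex digests, the two hashes FTK Imager lists under [Computed Hashes]."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size_bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, expected_md5=None, expected_sha1=None):
    """Re-hash the copy on the analysis stand and compare it with the digests
    written down at acquisition. True only if every supplied digest matches."""
    actual = hash_image(path)
    checks = []
    if expected_md5 is not None:
        checks.append(actual["md5"] == expected_md5.lower())
    if expected_sha1 is not None:
        checks.append(actual["sha1"] == expected_sha1.lower())
    return bool(checks) and all(checks)


def render_report_note(device, hashes, started, finished,
                       tool="AccessData FTK Imager in RAW (dd) mode"):
    """Build the 'Imaging: report notes' text: drive identity, size, hashes
    and the acquisition window. `device` holds model/serial/sector_count."""
    fmt = "%a %b %d %H:%M:%S %Y"          # same shape as the slide's timestamps
    lines = [
        "Physical Evidentiary Item (Source) Information:",
        "[Physical Drive Information]",
        f"Drive Model: {device['model']}",
        f"Drive Serial Number: {device['serial']}",
        f"Sector count: {device['sector_count']}",
        f"Source data size: {hashes['size_bytes'] // (1024 * 1024)} MB",
        "[Computed Hashes]",
        f"MD5 checksum: {hashes['md5']}",
        f"SHA1 checksum: {hashes['sha1']}",
        "",
        f"Disk imaging has been performed with {tool}.",
        f"Acquisition started: {started.strftime(fmt)}",
        f"Acquisition finished: {finished.strftime(fmt)}",
    ]
    return "\n".join(lines)


def demo(content=b"abc"):
    """Constructed stand-in for an image: write `content` to a temp file,
    hash it, render the note, then verify once with the recorded hashes and
    once with a deliberately wrong MD5. Returns (hashes, note, ok, wrong)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        started = datetime.now()
        hashes = hash_image(path)
        finished = datetime.now()
        # Placeholder device record, not a real drive.
        device = {"model": "EXAMPLE-SSD (constructed)",
                  "serial": "SERIAL-PLACEHOLDER", "sector_count": 0}
        note = render_report_note(device, hashes, started, finished)
        ok = verify_image(path, expected_md5=hashes["md5"], expected_sha1=hashes["sha1"])
        wrong = verify_image(path, expected_md5="0" * 32)
    finally:
        os.remove(path)
    return hashes, note, ok, wrong


if __name__ == "__main__":
    hashes, note, ok, wrong = demo()
    print(note)
    print("verification with recorded hashes:", ok, "| with a wrong hash:", wrong)
```

Run `hash_image` on the acquisition machine, put the digests in the report, and run `verify_image` on every copy before analysis starts; a mismatch means the copy, not the evidence, is what you are looking at.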
- 10. Digital forensics stand
• May be physical or virtual (physical preferred)
• Win7 or later
• SW for R/O mount: FTK Imager or OSFmount
• SW for MFT investigation: Mft2Csv
• AV tools, KFF (if needed), FAR and so on
- 12. Investigating
• Known-files DB if you’re using enterprise suites
• User-related incident:
  • IM logs
  • Browser history and cache
  • Recently opened files and downloads
  • Device history
  • Remote control tool artefacts
• You may try to run some AV tools against the read-only (RO) mounted image
- 13. MFT fun – origin timestamps
• Temp folder (first point found)
• Browsers folders
• MFT
- 14. MFT fun – drill-down
Files created at the same time in temp locations (suspected download)
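The drill-down on slides 13 and 14 is a time pivot: take the first suspicious file (here the executable in Temp), then list everything created in temp and browser locations within a short window around it. The Python below is an added example, not the speaker's or Mft2Csv's code; it works on a constructed CSV whose column names (FullPath, SI_Created, SI_Modified) are a simplified stand-in for a real Mft2Csv export, so map your own export's headers before use. File names other than the ones on the slides (the profile folder, document.lnk, a1.exe's neighbours) are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in a simplified Mft2Csv-like layout: full path plus the
# $STANDARD_INFORMATION creation/modification times (UTC). Not a real export.
SAMPLE_MFT_CSV = """\
FullPath,SI_Created,SI_Modified
C:\\Users\\jdoe\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\abc.default\\cache2\\entries\\4F2A,2017-01-27 10:13:58,2017-01-27 10:13:58
C:\\Users\\jdoe\\AppData\\Local\\Temp\\Ground-Label-05496793.doc.zip,2017-01-27 10:14:02,2017-01-27 10:14:02
C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Ground-Label-05496793.doc.zip\\Ground-Label-05496793.doc.zip,2017-01-27 10:14:31,2017-01-27 10:14:31
C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Ground-Label-05496793.doc.zip\\document.lnk,2017-01-27 10:14:33,2017-01-27 10:14:33
C:\\Users\\jdoe\\AppData\\Local\\Temp\\a1.exe,2017-01-27 10:15:10,2017-01-27 10:15:10
C:\\Users\\jdoe\\Documents\\budget.xlsx,2016-11-03 09:00:00,2017-01-20 16:42:11
C:\\Windows\\System32\\notepad.exe,2015-07-10 12:00:00,2015-07-10 12:00:00
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
BROWSER_MARKERS = ("\\mozilla\\firefox\\", "\\google\\chrome\\",
                   "\\inetcache\\", "\\temporary internet files\\")


def location_class(path):
    """Coarse bucket for the path: 'temp', 'browser' or 'other'."""
    p = path.lower()
    if any(m in p for m in TEMP_MARKERS):
        return "temp"
    if any(m in p for m in BROWSER_MARKERS):
        return "browser"
    return "other"


def parse_mft_csv(text):
    """Parse the CSV into dicts with real datetime objects and a location class."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": rec["FullPath"],
            "created": datetime.strptime(rec["SI_Created"], TIME_FMT),
            "modified": datetime.strptime(rec["SI_Modified"], TIME_FMT),
            "location": location_class(rec["FullPath"]),
        })
    return rows


def find_row(rows, filename):
    """First row whose path ends with \\filename (case-insensitive), else None."""
    suffix = "\\" + filename.lower()
    for row in rows:
        if row["path"].lower().endswith(suffix):
            return row
    return None


def files_near(rows, pivot, window_seconds=120, locations=("temp", "browser")):
    """Rows created within +/- window of the pivot's creation time, limited to
    the given location classes, ordered oldest first. The oldest hit is the
    candidate origin (the download), later ones the unpacking chain."""
    delta = timedelta(seconds=window_seconds)
    lo, hi = pivot["created"] - delta, pivot["created"] + delta
    hits = [r for r in rows if lo <= r["created"] <= hi and r["location"] in locations]
    return sorted(hits, key=lambda r: r["created"])


if __name__ == "__main__":
    rows = parse_mft_csv(SAMPLE_MFT_CSV)
    pivot = find_row(rows, "a1.exe")
    for r in files_near(rows, pivot):
        print(r["created"], f"[{r['location']}]", r["path"])
```

The window is the knob: two minutes catches the browser cache entry and the whole unzip chain in the sample, one minute only the last three steps, so widen it until the oldest hit stops moving and you have the likely origin.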
- 16. Original attachment
The original file had been lost; only the executable was found on the file system. The next step is to find audit trails on the user and the file.
- 17. Sandboxing (fast way)
You may use public (malwr, Hybrid Analysis) or private (such as Cuckoo) sandboxes for a fast look at the calls made.
Infection path overview
1. User downloads the file Ground-Label-05496793.doc.zip
2. This archive contains one more Ground-Label-05496793.doc.zip inside it
3. After double-clicking, both archives are unzipped one by one and the original .lnk file with a notepad icon is extracted
4. Dropper script execution
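The delivery chain above (zip inside zip, with a shortcut instead of a document at the bottom) is detectable at a mail gateway or during triage without running anything. The Python below is an added example, not code from the talk or from any sandbox product: it walks a zip in memory, descends into nested zips, and flags script, shortcut and executable members. The sample it builds is a constructed reproduction of the case layout; the inner shortcut's name (document.lnk) and bytes are placeholders, not the real file.

```python
import io
import os
import zipfile

# Member extensions that should never be what a "document" attachment really
# contains; the case above hid a .lnk shortcut behind a notepad icon.
SUSPICIOUS_EXT = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                  ".exe", ".scr", ".bat", ".cmd", ".ps1"}


def inspect_archive(data, max_depth=3, max_member_bytes=50_000_000, _depth=0, _prefix=""):
    """Walk a zip held in memory and descend into zips nested inside it.
    Returns a list of (depth, member_path, flag), flag being one of
    'nested-archive', 'suspicious', 'too-large', 'too-deep' or 'ok'.
    Nested members are reported as outer.zip!/inner for readability."""
    findings = []
    if _depth > max_depth:                       # nesting used as an evasion trick
        findings.append((_depth, _prefix, "too-deep"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = _prefix + info.filename
            if info.file_size > max_member_bytes:  # refuse to inflate huge members
                findings.append((_depth, member, "too-large"))
                continue
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                findings.append((_depth, member, "nested-archive"))
                findings.extend(inspect_archive(content, max_depth, max_member_bytes,
                                                _depth + 1, member + "!/"))
            elif os.path.splitext(info.filename.lower())[1] in SUSPICIOUS_EXT:
                findings.append((_depth, member, "suspicious"))
            else:
                findings.append((_depth, member, "ok"))
    return findings


def verdict(findings):
    """'block' on any suspicious member or abuse of nesting/size, 'review'
    when the archive merely contains another archive, otherwise 'allow'."""
    flags = {flag for _, _, flag in findings}
    if flags & {"suspicious", "too-deep", "too-large"}:
        return "block"
    if "nested-archive" in flags:
        return "review"
    return "allow"


def build_case_sample():
    """Constructed reproduction of the chain on the slide: the outer
    Ground-Label-05496793.doc.zip holds a zip of the same name, which holds a
    .lnk. Shortcut name and content are placeholders, not the real artefact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("document.lnk", b"PLACEHOLDER - not a real shortcut")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Ground-Label-05496793.doc.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample():
    """Constructed control: a plain zip with one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("case", build_case_sample()), ("benign", build_benign_sample())):
        findings = inspect_archive(blob)
        for depth, member, flag in findings:
            print(f"{label}: {'  ' * depth}{member} -> {flag}")
        print(f"{label}: verdict = {verdict(findings)}")
```

The depth and size caps matter as much as the extension list: an archive that nests deeper than a human would ever build, or that inflates to far more than its compressed size, is itself a reason to stop and hand the file to the sandbox rather than to the user.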
- 18. Dropper
• The dropper script continuously connects to the CnC domain with the following requests and downloads the a1.exe (or a2.exe) file
- 20. Meanwhile in the system
• Two random test files, %TEMP%\a.doc and %TEMP%\a.txt, 10000 bytes each, are created (seemingly for testing purposes only) and the following script is injected into the HKCU hive
• The file with decryption instructions is added to Firefox or whichever browser is the default
• Execution of the self-destroy routine
- 21. Case Conclusion & Recovery
The investigation revealed a user mistake and problems with the AV on the system (it had not prevented the infection)
• User downloaded the file from a CRM case
• Tried to run it
• “No result” (encryption started in the background)
Workstation recovery
• Rolled back from a backup copy
• Reinstalled the AV so it works properly
- 22. Backwards: Enterprise notes
• Export all the related information from your security tools:
  • IDS/IPS,
  • firewall logs,
  • proxies,
  • SIEM records,
  • DLP,
  • AV alerts
• Sometimes the initial point of compromise is not what you’ve suspected
• If you do not see anything strange in your SIEM, that is not a reason to relax.
• Perform regular agent reviews on every subsystem
- 23. Backwards: Reporting
Forensics part
Common information
• Case summary (brief overview of what happened and when)
• Serial numbers, make, model etc.
• All the preparation steps
Investigation process
• Tools used, start and end dates
• Detailed information about the process – artifacts, pictures, documents…
Conclusion
Incident response part
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned
(I know you still hate doing that ;))